RBAC: Role based Access Control
RBAC gives finer control over the actions an account is allowed to perform.
System defines
Permissions to perform some action
Roles: a set of permissions that have some relation
Operations
Grant: Assign and allow
Deny: Assign and do not allow
Revoke: Remove
Precedence of operations
Grant
Deny
If a role grants you some action but that permission has been denied to your account, the action cannot be performed: a deny always takes precedence over a grant.
Rules
Permissions can have linked permissions (thus creating a role).
An account can be assigned granted and denied roles. Permissions inherited from a role are granted if the role is granted and denied if the role is denied.
An account can be assigned granted and denied permissions.
An account can have multiple roles and permissions.
An account cannot have the same permission or role both granted and denied at the same time.
Id 0 cannot be used to define a permission.
Permissions (default permissions)
See the rbac_permissions table for the complete list of available permissions and their associated ids. The table is self-explanatory.
In-game commands
| Name | Syntax | Description |
|---|---|---|
| .rbac account | .rbac account [$account] | View the permissions of the selected player or the given account. Note: only those that affect the current realm. Note: shows the real (effective) permissions after checking groups and roles. |
| .rbac account list | .rbac account list [$account] | View the permissions of the selected player or the given account. Note: only those that affect the current realm. Note: only those directly granted or denied; does not include permissions inherited from roles. |
| .rbac account grant | .rbac account grant [$account] #id [#realmId] | Grant a permission to the selected player or the given account. #realmId may be -1 for all realms. |
| .rbac account deny | .rbac account deny [$account] #id [#realmId] | Deny a permission to the selected player or the given account. #realmId may be -1 for all realms. |
| .rbac account revoke | .rbac account revoke [$account] #id | Remove a permission from an account. Note: removes the permission from the granted or denied permissions. |
| .rbac list | .rbac list [$id] | View the list of all permissions. If $id is given, only the info for that permission is shown. |
Related tables (`auth` database)
| Table Name | Table Description | Field Name | Field Type | Field Description |
|---|---|---|---|---|
| rbac_account_permissions | Account-Permission relation | accountId | int | Account id |
| | | permissionId | int | Permission id |
| | | granted | int | Granted = 1, Denied = 0 |
| | | realmId | int | Realm id, -1 means all realms |
| rbac_permissions | Permission list | id | int | Permission id |
| | | name | text | Permission name |
| rbac_default_permissions | Default permissions to assign to a specific security level (account_access) | secId | int | Security level id |
| | | permissionId | int | Permission id |
| rbac_linked_permissions | Assigns permissions to roles (see rbac_permissions for permissions with name "role"). Can also be used to link permissions to permissions (creating new roles). | id | int | Security Level id |
| | | linkedId | int | Permission id |
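The rules above (linked permissions forming roles, inherited grant/deny, deny winning over grant, realmId -1 meaning all realms, id 0 reserved) are easier to check against a concrete resolver. The following is an added example written for this page, not TrinityCore's own code; the table rows, ids and permission names are constructed and hypothetical, mirroring the `auth` tables just described.

```python
"""Effective-permission resolution following the RBAC rules described above."""
from typing import Dict, List, Set, Tuple

# Constructed sample rows mirroring the auth tables; ids and names are hypothetical.
RBAC_PERMISSIONS: Dict[int, str] = {
    1: "role.admin", 2: "role.gm", 10: "cmd.kick", 11: "cmd.ban", 12: "cmd.revive"}
RBAC_LINKED_PERMISSIONS: List[Tuple[int, int]] = [   # (id, linkedId)
    (1, 2), (1, 11), (2, 10), (2, 12)]                # admin -> gm, ban ; gm -> kick, revive
RBAC_DEFAULT_PERMISSIONS: List[Tuple[int, int]] = [(1, 12)]   # (secId, permissionId)
RBAC_ACCOUNT_PERMISSIONS: List[Tuple[int, int, int, int]] = [  # (accountId, permissionId, granted, realmId)
    (42, 2, 1, -1),   # account 42: role.gm granted on all realms
    (42, 10, 0, 1),   # account 42: cmd.kick denied, but only on realm 1
    (43, 1, 1, -1),   # account 43: role.admin granted on all realms ...
    (43, 2, 0, -1),   # ... and role.gm denied: everything gm links to is denied too
]


def expand(perm_id: int) -> Set[int]:
    """A permission plus everything reachable through rbac_linked_permissions."""
    if perm_id == 0 or perm_id not in RBAC_PERMISSIONS:
        raise ValueError(f"permission id {perm_id} is not defined (id 0 is reserved)")
    seen: Set[int] = set()
    todo = [perm_id]
    while todo:
        pid = todo.pop()
        if pid in seen:          # guard against cyclic links in the table
            continue
        seen.add(pid)
        todo.extend(linked for src, linked in RBAC_LINKED_PERMISSIONS if src == pid)
    return seen


def effective_permissions(account_id: int, realm_id: int, sec_level: int) -> Set[int]:
    """What the account can actually do on one realm: a deny beats any grant."""
    granted: Set[int] = set()
    denied: Set[int] = set()
    for sec, pid in RBAC_DEFAULT_PERMISSIONS:      # defaults for the security level
        if sec == sec_level:
            granted |= expand(pid)
    direct: Dict[int, int] = {}                   # permissionId -> granted flag seen
    for acc, pid, is_granted, realm in RBAC_ACCOUNT_PERMISSIONS:
        if acc != account_id or realm not in (-1, realm_id):
            continue                              # other account or other realm
        if direct.setdefault(pid, is_granted) != is_granted:
            raise ValueError(f"permission {pid} both granted and denied for account {acc}")
        (granted if is_granted else denied).update(expand(pid))   # inherit the role's verdict
    return granted - denied
```

Running `effective_permissions(42, 1, 1)` reproduces what `.rbac account` would report for realm 1: role.gm and cmd.revive, with cmd.kick removed by the realm-specific deny.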
Suggestion
Create a web interface (in PHP or other accessible web technology) to ease the management of the RBAC system.
If simple and good enough, it could possibly be added to TrinityCore repository (/contrib/ directory)!